Custom IAM Policies contd
Activity 3: Create a policy to view every thing ec2 with conditions
- User should be admin in mumbai but in other regions this user should have readonly permissions on ec2
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"ap-south-1"
]
}
}
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"ap-south-1"
]
}
}
},
{
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"ap-south-1"
]
}
}
},
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"ap-south-1"
]
}
}
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"autoscaling.amazonaws.com",
"ec2scheduled.amazonaws.com",
"elasticloadbalancing.amazonaws.com",
"spot.amazonaws.com",
"spotfleet.amazonaws.com",
"transitgateway.amazonaws.com"
],
"aws:RequestedRegion": [
"ap-south-1"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:GetSecurityGroupsForVpc"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:Describe*",
"Resource": "*"
}
]
}
Activity 4: Create an IAM Policy
- Which allows every thing ec2 but not deleting anything.
- full ec2 access but not delete anything
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": ["ec2:StartInstances*", "ec2:StopInstances*"],
"Effect": "Deny",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"autoscaling.amazonaws.com",
"ec2scheduled.amazonaws.com",
"elasticloadbalancing.amazonaws.com",
"spot.amazonaws.com",
"spotfleet.amazonaws.com",
"transitgateway.amazonaws.com"
]
}
}
}
]
}
Activity 6: Resource Specific condition
- Lets write an IAM Policy to give user full acess on a specific ec2 and read acesss on other ec2
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:GetSecurityGroupsForVpc"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:Describe*",
"Resource": "*"
},
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "arn:aws:ec2:ap-south-2:381491878286:instance/i-0c91e48679e4c2868"
}
]
}
Activity 7: I want to give full acess to ec2 instances if they have tag env with value dev
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:GetSecurityGroupsForVpc"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:Describe*",
"Resource": "*"
},
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/dev" : "env" }
}
}
]
}
